Christopher Ahearn

Take me to the Shodan - Right Click your way to additional data

Blog post created by Christopher Ahearn on Feb 9, 2017

The RSA NetWitness Suite has a lot of data flowing into it. However, it does not take in everything. Context, which is necessary to properly maintain situational awareness, can come from other sources and can help analysts find answers to the questions they have. One such source is Shodan.


Shodan is a search engine that can be used to find information about computers and other devices that are connected to the Internet, from web servers to web cameras and from routers to refrigerators. Shodan has a wealth of information about those IP addresses and hostnames, and that information can be queried with an authorized account. This could tell you public information about your own organization's systems and address space that you were not aware of previously.


To make the search a little easier, you could take IP addresses and hostnames found in the RSA NetWitness Suite and pivot into a Shodan search for them.


I created a couple of right-click plugins that could be used on the RSA NetWitness server in the Investigations module. They can be created in the following way:


Log in to your server with an administrator account, go to Administration, System, and click Context Menu Actions. Then click the plus ( + ) icon.



Then, copy and paste the text from the plugin file into the Context Menu Configuration editor box. Since there is one plugin for IP addresses and another for hostnames, you would perform this task twice.



When finished, click ( OK ). This will save the plugin.


You should now see two new plugins in your list.



You will likely have to close or refresh the Investigator browser tab and reopen it. Then, right-click on either the IP address or meta and you should see the option for an External Lookup into Shodan.
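The pivot itself amounts to turning a meta value into a Shodan URL. The sketch below is an added example, not the author's plugin files (which are not reproduced on this page): it builds that URL for an IP address or hostname and declines to send non-public values to an external service. The function name and the two Shodan URL patterns are assumptions.

```python
import ipaddress
import re
from urllib.parse import quote

# Assumed Shodan web URL patterns; the plugin files are not shown on this page.
SHODAN_HOST_URL = "https://www.shodan.io/host/{}"
SHODAN_SEARCH_URL = "https://www.shodan.io/search?query={}"

# One hostname label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def shodan_pivot_url(meta_value):
    """Return the Shodan URL for an IP or hostname meta value, or None
    when the value should not be sent to an external service."""
    value = meta_value.strip().rstrip(".")
    if not value:
        return None
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # Shodan indexes Internet-facing hosts only; private, loopback and
        # link-local addresses would just disclose internal addressing.
        if not ip.is_global:
            return None
        return SHODAN_HOST_URL.format(ip.compressed)
    labels = value.split(".")
    # Require a dotted name so single-label internal names stay internal.
    if len(labels) < 2 or len(value) > 253:
        return None
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None
    # Percent-encode the whole query so nothing in the value alters the URL.
    return SHODAN_SEARCH_URL.format(quote("hostname:" + value.lower(), safe=""))


if __name__ == "__main__":
    # Constructed sample meta values, not taken from a real capture.
    for sample in ["8.8.8.8", "10.1.2.3", "www.example.com",
                   "fileserver01", "bad host/../x"]:
        print(sample, "->", shodan_pivot_url(sample))
```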




Hopefully, this provides you with a bit more knowledge and understanding about the data you see every day.


Good luck and happy hunting.